South African banks are collecting a wide range of data about you. They know your age, where you live, what you earn, and what your credit score is.

And if you use a debit or credit card, they’re collecting data about what products and services you buy, and where you buy them from.

This information is gold for advertisers who are desperate to target you with relevant online advertisements.

And while personal information, such as your name and address, linked to your financial history, is widely considered off-limits to third-party vendors, so-called anonymous and aggregated data is largely fair game in the financial world. Which may be one reason why the adverts you see on social media continue to eerily coincide with your lifestyle habits.

Every purchase you make on a debit or credit card allows the banks to learn a bit more about you. And the more they know about you, the better they can refine their own products and services.

But for some time, banks have been using this data for more than just internal improvement and up-selling— some are profiting by allowing third party partners, and even data brokers, to use this information to target you with advertisements.

Banks around the world have been selling data for years

It’s now widely accepted that our personal data is sold and bought several times over. And in the United States,credit card companies have been selling data about purchasers to advertisers for several years already.

Previously, the data that banks sold was fairly broad. Companies like Mastercard would track purchases by area code, establish trends on common purchases in these regions, and then sell this on to the highest bidder, who’d then launch targeted advertising campaigns.

But with the rise of highly targeted online advertising on the likes of Facebook and Google, this data is becoming increasingly more specialised and detailed - and it’s lead to the rise of multi-million dollar companies who trade in it.

For example, American company Acxiom has detailed information on 500 million consumers around the world. For each of these consumers, they have up to 3,000 attributes - identifiers such as race, age, sex, health concerns, and spending habits.

Companies like Acxiom gather these data points from several sources - including online surveys, browsing habits, and national databases. But there are few organisations, apart from Facebook and Google, that have as comprehensive pictures of our personal lives than financial institutions - which represents a significant new revenue stream.

In Australia, at least two of the country’s big banks openly share data withData Republic, a financial technology company that facilitates the secure storage and sale of data.

Although banks are unlikely to share identifiable personal data with companies like Acxiom, many around the world do share what’s loosely called “aggregated and anonymised” data. In other words, data that’s not directly identifiable to you, but is still able to deliver targeted advertisements on your social channels.

South Africa may have stricter legislation than many other countries when it comes to private data and information, and the Protection of Personal Information (POPI) act will further restrict how companies store and use personal data. But, in theory at least, this doesn’t stop financial institutions here from using our spending habits to generate additional income.

Business Insider South Africa reached out to several big banks in South Africa, and dug around in privacy policies, to learn more about what data financial institutions collect and store, and how they use it.

First National Bank

According to First National Bank, it collect your personal information whenever you use its website, complete an application form, contact it electronically, or use one of the services or facilities offered by it, or any affiliate party.

First National Bank’s Chief Data Protection Officer Fernando Moreira said that “FNB processes data in accordance with all applicable privacy and data protection laws. We adopt a multi-layered security approach to safe-guard data. The bank is not able to share propriety information.”

FNB’sprivacy policy expands upon this. It says that the bank may share personal information without your consent if required by law, or driven by the bank’s or public interest. It also reserve the right to share certain personal information of yours with your “implied consent”.

According to its privacy policy, FNB may combine all of the personal information it has about its clients in order to “personalise and tailor” their services to meet their clients’ needs.

It may also use this data to sell you products it deems may be of interest. And with your consent, it also reserve the right to sell your personal information to third parties, for “independent use”.

Standard Bank

Standard Bank collects personal information directly about its clients through direct means, as well as third parties and publicly available sources.

According to the bank’sprivacy policy, it does so in order to meet their responsibilities to its clients, and conduct “ordinary business” such as opening and maintaining accounts. But it also do so for marketing purposes - to “carry out statistical and other analyses to identify potential markets and trends, evaluate and improve our business, and tell you about services and products available within the Group”.

According to Standard Bank’s Ross Linstrom, “Data is one of the core requirements to run any business. Standard Bank’s strategic focus is on putting customers at the centre of everything we do, delivering as far as possible our services and products in a digital way and building universal capabilities. To achieve this requires quality data.”

Linstrom says that where it uses customer data to provide products and services, they “ensure that customers’ consent is obtained or that we are able to process the customer data lawfully. In all our engagements, client confidentially and privacy are guiding principles and we ensure that data sharing is done in a lawful and responsible manner”.

With your consent, Standard Bank will therefore, according to their privacy policy,“use your personal information to tell you about products, services and special offers” from within the group or “other companies that may interest you”.

Nedbank

Nedbank uses personal information that it gathers “during the course of our relationship with you as a client, as well as information about your marketing preferences”.

It collects this information in several ways. Either directly from you, when you complete a physical or electronic form such as an application, or indirectly when you interact with the bank electronically and browse their website, and directly from other sources, “such as public databases, data aggregators and third parties”.

Nedbank will use your personal information to, among other things, “provide you with financial products and services”, and although it says the bank “will not sell your information to third parties and will only market to you in accordance with our legal obligations and your marketing preference”, it does work with third-party data providers provided you consent to this.

According to Nedbank’s Head of Marketing and Communications Joanne Isaacs, “At Nedbank we apply market conduct principles in managing our business processes. These include, but are not limited to opt in/out indicators to process client leads and communication, including ‘Do Not Market’ indicators where generic marketing is concerned.”

“We also do not sell client data, and, while the Protection of Personal Information Act, is not yet enforced, we already align with the Act in the protection of our data and when dealing with clients. As far as transmission of data is concerned, clauses for such data transmission, both local and cross-border, are followed.”

Absa

Absa collects your personal information directly on forms you submit, but also from things like public records, social media, and credit bureaus.

It collects and processes this personal information in line with the purpose for which you provided it, such as opening a bank account, or to enable them to comply with legal requirements, according to itsprivacy policy.

It also uses this personal information for “for historical, statistical or research purposes where the outcomes will not be published in an identifiable format”.

And, according to its privacy policy, “There may be instances where Absa will process your personal information through a secure automated tool, or perform profiling resulting in a decision that may affect you significantly.”

Capitec

Capitec will share your personal information with third parties, provided you have given it consent to do so, according to the bank’sprivacy policy. The company’s privacy policy does not identify under what circumstances they will use this data.

Their privacy policy also details how it monitors web traffic for marketing purposes. Like many websites it makes use ofGoogle’s Remarketing tool “to serve our advertisements to users who visited our website when they visit other websites that are part of Google's advertising network”, as well as Google’s Analytics Demographics and Interest Reporting that allows them to “collect data about age, gender and interest and how you use our website, so that we can optimise your website experience”.

Visa and MasterCard

Both Visa and MasterCard, the two major bank card providers in South Africa, are open about their data and analytics divisions that sell user data to help advertisers better target new customers.

Visa also gathers information on customers to identify those who “spend frequently; are known to buy at various times; spend more during major retail holidays; prefer certain types of trips and visit specific destinations; [are] gift shoppers, online shoppers, subscription spenders, affluent spenders and more.”

Mastercard also has a division that collects user data that they sell to third-party companies. On the MasterCarddata analytics website, it asks the question “What can 2.4 billion global cards, over 65 billion transactions per year, and analytical platforms mean to you?”

Among other services, it offers “Intelligent Targeting” that they claim will “boost the efficiency, effectiveness and ease of acquisition by leveraging Mastercard insights and expertise to design, execute and optimise acquisition campaigns for high-value customers.”

It also provides anonymised and aggregated “transaction-based insights on a merchant’s sales, customer segment behaviour and overall trends to inform credit decisions”.

Payment and financial apps

Then there are other third-party services, like financial management tool 22Seven, and payment apps like Zapper and Snapscan. These companies have access to a significant amount of data, and follow similar privacy policies to the banks - provided you opt in at some point, they can share personal information with third parties.

22Seven is a free service that presumably makes its money by processing and analysing their users’ financial data. According to its privacy policy, it “may aggregate and analyse your 'de-identified' information with that of other customers and information received from other sources.”

It does this “to develop market insights, troubleshoot problems, detect and protect against error, fraud and other criminal activity, identify behaviour and usage patterns, and improve our service generally.”

Payment app SnapScan, owned by Standard Bank, has a clear policy when it comes to data protection. By signing up for the service, you are giving Snapscan express consent to collect and process your personal information to, among other things, “provide any combination of services or analysis linked to the app” as well as to “carry out statistical and other analyses to identify potential markets and trends; and develop new products and services.”

Mobile payment app Zapper also collects both personal and aggregated data that it uses for various purposes. According to the company’s privacy policy, they “collect, use and share aggregated data such as statistical or demographic data for any purpose”.

How to stop banks using your data

It’s safe to assume that, with your consent, most financial institutions are using and sharing some of your data in an anonymous and aggregated manner. Some are likely profiting from it, too.

But quite how and where you consent to this usage is unclear. In some cases, it forms part of the application installation process, and in others, it’s likely buried deep in application form terms and conditions, and difficult to separate from the basic account forms.

If you’re opposed to this, there are some steps you can take. Firstly, you can contact your bank directly to find out if you have consented to their data sharing policies. If so, you can request to opt out from their third party data sharing programmes.

According to the Promotion of Access to Information Act, customers can also request a copy of their information that the institution is holding. It’s probably a good idea to request this anyway, and if it makes you uncomfortable, some institutions may agree to remove or update it. Others, however, may say removing this data prevents them from offering the service, in which case you may need to decide which is more important - privacy or the service they’re offering.